January 26, 2026

Cybersecurity news roundup January 26, 2026

San Mateo, CA, January 26, 2026 — Stories, events, and developments that impacted the cybersecurity landscape last week, including emerging threats, policy changes, and industry responses.

DOGE staff tied to possible Social Security data exposure

Court documents reveal that two members of Elon Musk’s Department of Government Efficiency (DOGE) may have accessed and potentially shared Social Security numbers while assisting a political advocacy group seeking to overturn election results in certain states. The disclosure emerged through corrected testimony from Social Security Administration (SSA) officials amid ongoing legal challenges over DOGE’s access to sensitive SSA data. According to the Justice Department, the advocacy group asked DOGE members embedded at the SSA to analyze voter rolls it had obtained to identify alleged voter fraud. One DOGE member reportedly signed and sent a voter data agreement, despite a court order at the time restricting access to private SSA records. Investigators say data may have been accessed on unapproved third-party servers. The employees were referred for possible Hatch Act violations, and questions remain over whether any data was ultimately shared.

CISA leadership grilled over staffing cuts

Lawmakers pressed the acting head of CISA over staffing cuts and leadership decisions during a contentious House Homeland Security Committee hearing. Acting director Madhu Gottumukkala faced bipartisan questioning about personnel reductions, a reported attempt to remove the agency’s chief information officer, and whether CISA still has enough staff to fulfill its mission. Democrats voiced sharp concerns, citing workforce losses that they said have weakened national cyber defenses. Rep. Bennie Thompson entered records showing CISA staffing fell from 3,387 employees to 2,389, a reduction of nearly 1,000 people, figures Gottumukkala essentially confirmed. While he argued attrition remained relatively low and staffing was sufficient, he declined to provide exact vacancy numbers or confirm whether formal workforce assessments had been conducted.

RealHomes WordPress plugin flaw enables site takeovers

A patched security vulnerability in the RealHomes CRM plugin could have allowed low-privileged users to upload malicious files and seize control of affected WordPress sites. The flaw impacted versions 1.0.0 and earlier and stemmed from a CSV import feature that permitted any logged-in user with Subscriber access or higher to upload arbitrary files. Researchers found the upload mechanism lacked basic safeguards, including permission checks and file type validation, allowing attackers to place executable files on the server and potentially achieve full site compromise. The plugin is bundled with the widely used RealHomes theme, which powers more than 30,000 real estate websites and includes tools for listings, payments, and front-end management.
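The two missing safeguards named above, a permission check and file type validation, are what a CSV import handler in a WordPress plugin should enforce before touching an upload. The following is an added illustration written for this roundup, not the RealHomes plugin's code; the hook name, nonce name, form field and the `rh_demo_rows_imported` action are assumptions.

```php
<?php
// Hypothetical hardened CSV-import handler for a WordPress plugin (added illustration,
// not the RealHomes plugin's code). Hook and action names are assumptions.

add_action( 'admin_post_rh_demo_import_csv', 'rh_demo_handle_csv_import' );

function rh_demo_handle_csv_import() {
    // 1. Permission check: a Subscriber must never reach this path; require an admin capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 2. CSRF protection: the form must carry a valid nonce.
    check_admin_referer( 'rh_demo_import', 'rh_demo_nonce' );

    if ( empty( $_FILES['csv_file'] ) || UPLOAD_ERR_OK !== $_FILES['csv_file']['error'] ) {
        wp_die( 'No file uploaded.', '', array( 'response' => 400 ) );
    }
    $file = $_FILES['csv_file'];

    // 3. File-type validation: accept only a .csv extension whose content sniffs as CSV/plain text.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], array( 'csv' => 'text/csv' ) );
    if ( empty( $check['ext'] ) || 'csv' !== $check['ext'] ) {
        wp_die( 'Only CSV files are accepted.', '', array( 'response' => 415 ) );
    }

    // 4. Parse from the temporary path and discard it: the upload is never copied under its
    //    original name into a web-reachable directory, so nothing executable lands on disk.
    $fh = fopen( $file['tmp_name'], 'r' );
    if ( false === $fh ) {
        wp_die( 'Unable to read upload.', '', array( 'response' => 500 ) );
    }
    $header = fgetcsv( $fh );
    $rows   = array();
    while ( ( $record = fgetcsv( $fh ) ) !== false ) {
        if ( is_array( $header ) && count( $record ) === count( $header ) ) {
            $rows[] = array_combine( $header, array_map( 'sanitize_text_field', $record ) );
        }
    }
    fclose( $fh );

    // 5. Hand sanitized rows to the importer through an action (assumed name) and redirect.
    do_action( 'rh_demo_rows_imported', $rows );
    wp_safe_redirect( admin_url( 'admin.php?page=rh-demo-import&count=' . count( $rows ) ) );
    exit;
}
```

Because the CSV is parsed from PHP's temporary upload path and never moved into the site's upload directory, a renamed PHP file fails the extension check and, even if it passed, would never be stored where a browser could request it.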

Fake mobile tower used in Athens phishing scheme

Greek police dismantled a mobile phishing operation that relied on a fake cell tower concealed inside a vehicle to blast scam messages across the Athens metropolitan area. Authorities said the suspects used a rogue mobile base station, commonly known as an SMS blaster, to impersonate legitimate telecom infrastructure and force nearby phones to downgrade from 4G to the far less secure 2G network. That downgrade allowed the attackers to collect phone numbers and deliver phishing texts posing as banks or courier services, ultimately tricking victims into handing over payment card details that were later used for fraudulent transactions. Police stopped the suspects after reports of suspicious activity and discovered a hidden computing system in the trunk connected to a roof-mounted transmitter disguised as a shark-fin antenna. Similar vehicle-based SMS blaster attacks have been documented in the U.K., Thailand, Indonesia, and Qatar, often involving Chinese-linked operators.

Microsoft and Anthropic AI servers expose new attack risks

The rapid expansion of model context protocol (MCP) servers is introducing a dangerous new attack surface across the AI ecosystem, according to recent disclosures from Cyata and BlueRock. Researchers found that widely trusted MCP servers, including Microsoft’s MarkItDown and Anthropic’s official Git and filesystem implementations, contain serious flaws that enable server-side request forgery and even remote code execution. In Microsoft’s case, unrestricted URI handling allowed attackers to access internal cloud metadata services and potentially extract AWS credentials. Separately, Cyata demonstrated how multiple medium-severity flaws in Anthropic’s Git MCP server could be chained with filesystem access and indirect prompt injection to execute arbitrary commands.

AI-built Linux malware hits 88,000 lines

The newly discovered VoidLink Linux malware framework shows how artificial intelligence is reshaping modern malicious code development, according to new research from Check Point and Sysdig. Investigators believe the advanced Linux framework was primarily built by a single developer using an AI coding agent to accelerate planning, testing, and implementation. VoidLink, written in Zig and designed for persistent access to Linux-based cloud environments, grew to more than 88,000 lines of code within weeks. Researchers identified multiple indicators of AI involvement, including uniform API naming, template-like responses, placeholder data, and highly structured documentation written in Chinese. While no real-world infections have been observed, analysts warn that the project highlights how AI dramatically lowers the barrier to building sophisticated cyber tools.

LinkedIn messages used to spread RAT malware

Cybersecurity researchers have identified a new phishing campaign abusing private messages on social media platforms to deliver malware and establish persistent remote access. According to ReliaQuest, attackers contact high-value individuals on LinkedIn, build trust, and trick victims into downloading a malicious WinRAR self-extracting archive. The package contains a legitimate PDF reader, a malicious DLL, a Python interpreter, and a decoy file. When executed, the PDF reader sideloads the rogue DLL, which installs the interpreter and creates a registry key for persistence. The malware executes Base64-encoded shellcode directly in memory and communicates with external servers to exfiltrate data. Researchers warn that social media messages lack monitoring and represent an expanding attack surface beyond traditional email phishing defenses.

Fake ad blocker drives ClickFix attacks

Researchers at Huntress have uncovered a new ClickFix-style attack dubbed CrashFix that uses a malicious browser extension called NexShield to crash Chrome and Edge deliberately. The extension creates infinite chrome.runtime port connections, exhausting system memory and causing frozen tabs, high CPU usage, and browser failure. After a restart, victims are shown a fake security warning prompting them to run commands in Windows Command Prompt. The copied command launches an obfuscated PowerShell script that downloads additional malware after a delay. Domain-joined systems are infected with ModeloRAT, a remote access trojan capable of reconnaissance, persistence, and command execution. Huntress attributes the campaign to the threat actor KongTuke, noting its growing interest in enterprise environments. Removing the extension alone is insufficient, as payloads remain active and require complete system cleanup.

China military develops quantum cyber tools

China’s military has disclosed new details about its efforts to apply quantum technology to cyber operations, signaling a shift toward data-driven planning for warfare. According to Science and Technology Daily, the People’s Liberation Army is developing more than 10 experimental quantum cyber tools, with some already tested during front-line missions. The program, led by a supercomputing laboratory at the National University of Defense Technology, combines quantum computing, artificial intelligence, and cloud platforms to accelerate intelligence processing. PLA researchers believe quantum systems could analyze massive battlefield datasets in seconds, enabling faster command decisions. The report also highlights quantum sensing for detecting stealth aircraft and quantum navigation systems resistant to jamming or spoofing.

Ingram Micro ransomware breach hits 42,000

Ingram Micro confirmed that a July 2025 ransomware attack resulted in a data breach affecting more than 42,000 individuals and exposing sensitive employee and applicant information. The technology distributor said attackers accessed internal file repositories between July 2 and 3, stealing documents containing names, contact details, dates of birth, Social Security numbers, passport data, and employment records. The incident caused an outage that disrupted internal systems and forced employees to work remotely. While Ingram Micro has not attributed the breach, BleepingComputer reported that the SafePay ransomware group was responsible. SafePay later claimed the attack on its leak site, alleging the theft of 3.5TB of data. The group is known for double extortion tactics and has become an active ransomware operation in 2025.

About NetworkTigers

NetworkTigers is the leader in the secondary market for Grade A, seller-refurbished networking equipment. Founded in January 1996 as Andover Consulting Group, which built and re-architected data centers for Fortune 500 firms, NetworkTigers provides consulting and network equipment to global governmental agencies, Fortune 2000, and healthcare companies. www.networktigers.com.

Ben Walker
Ben Walker is a freelance research-based technical writer. He has worked as a content QA analyst for AT&T and Pernod Ricard.